TLS and E-Mail ITIS 3110.

Presentation on theme: "TLS and E-Mail ITIS 3110."— Presentation transcript:

1 TLS and E-Mail ITIS 3110

2 overview
Transport Layer Security (TLS)
Sending: Simple Mail Transport Protocol (SMTP)
  A myriad of problems and a multitude of solutions
Inbound: Post Office Protocol (POP)
  Internet Message Access Protocol (IMAP)

3 tls

4 transport layer security
Security protocol formerly provided by Secure Socket Layer (SSL)
Provides authentication, confidentiality, integrity
Widely used on the Internet

5 tls history
SSL originally developed at Netscape
  SSL Version 2.0 was first public release (1995)
  SSL Version 3.0 soon followed (1996); corrected various security flaws of 2.0
TLS first defined in 1999
  Not backwards compatible with SSL

6 TLS has two modes of operation
Implicit
Explicit

7 implicit mode
Runs on a separate port from non-encrypted traffic
  e.g. HTTP (80/tcp) vs. HTTPS (443/tcp)
Deprecated from many protocols

8 explicit mode
Requires application be TLS aware
One port to rule them all
Communications start unencrypted
Client sends a ‘STARTTLS’ to initiate encrypted session
  e.g. IMAP, LDAP, POP3, SMTP

9 tls handshake
Client opens connection to server
Client and server agree on protocol version
Negotiate cryptographic algorithms to use
Client authenticates server’s digital certificate
Server can optionally authenticate a client’s certificate
Asymmetric encryption used to share session key
  Session key is symmetric
  Symmetric encryption is faster than asymmetric

10 tls handshake

11 tls: trust
Trust is handled by Certificate Authorities (CA)
CAs act as a trusted third party
  Verify your identity and issue a signed certificate
SSL clients are usually pre-loaded with trusted CAs
  e.g. Verisign
Certificates are verified by walking the certificate chain to a trusted certificate authority

12 tls: implementations
OpenSSL is de facto standard on Linux
  Has indispensable command line utility
  Note the Heartbleed vulnerability
    Heartbleed in itself is not “dangerous”
    The danger is in other programs that are not securely written, e.g. those that do not clear memory of sensitive information after it is no longer needed
  Supports connecting to any TLS socket
  STARTTLS support for FTP, IMAP, POP3, SMTP
GnuTLS is up and coming

13 smtp

14 How many protocols does it take a geek to send and read email?
1
2
3
4 or more

15 simple mail transport protocol
Mail delivery protocol
Handles submission from users
Handles delivery to other SMTP servers and to user mailboxes
‘Store and forward’

16 smtp history
De facto standard for delivering E-Mail on the Internet
Defined by RFC 821 in 1982
Obsoleted by RFC 2821 in 2001
Obsoleted by RFC 5321 in 2008
Protocol in use today is known as ESMTP or Extended SMTP

17 smtp ports
25/tcp
  Relaying of mail between servers
587/tcp
  Submission of mail from users
  Newer, not supported by all servers

18 smtp port 587
Access to port 25 often blocked by ISPs and firewalls
  Thank SPAM
Port 587 was defined as an alternate submission port
Not all servers support port 587
Increases mail server security
  Privilege separation

19 privilege separation
Hypothetical example:
Port 587
  Supports TLS
  User authentication
  Accepts mail from authenticated users
  Forwards it to other SMTP servers
Port 25
  Can accept mail from other SMTP servers
  If this host is the final destination, places mail in users’ mailboxes

20 smtp protocol
Simple, text-only protocol
Push only:
  Sender pushes mail to receiver
  Stops at the recipient’s server
Has few control messages
E-Mail is mainly passed as-is
  Some info added

21 smtp conversation to send an email
(client connection to smtp server)
220 ESMTP Postfix
HELO mydomain.com
250 Hello mydomain.com
MAIL
250 Ok
RCPT
DATA
354 End data with <CR><LF>.<CR><LF>
Subject: test message
From:
To:
Hello, This is a test. Goodbye.
.
250 Ok: queued as 12345
QUIT
221 Bye
The <cr><lf>.<cr><lf>

22 smtp addressing
To: and From:
  Those “headers” in an E-Mail body are not really used!
The ‘envelope sender’ and ‘envelope recipient’ are used for the addresses
  Envelope sender: MAIL FROM
  Envelope recipient: RCPT TO
SMTP’s MAIL FROM and RCPT TO
  Akin to the address on an envelope
E-Mail’s To: and From: headers
  Akin to the address on the letterhead in the letter

23 extended smtp
SMTP proper has fairly limited capabilities
ESMTP allows an SMTP client and server to negotiate which extensions to use
Some extensions are:
  TLS encryption
  User authentication
  Delivery status notification

24 esmtp conversation
(client connection to smtp server)
220 example.hades.lab ESMTP Postfix
EHLO
250-example.hades.lab at your service, [ ]
250-SIZE
250-DSN
250-STARTTLS
250-8BITMIME
250-ENHANCEDSTATUSCODES
250-PIPELINING
250 HELP

25 esmtp usage
ESMTP should only be attempted if the server’s introduction contains the string ‘ESMTP’
If you want to use ESMTP
  Send EHLO in place of the HELO in your greeting
  The server will return a list of supported extensions
The client can use any supported extension presented
  Supported by the client, that is

26 selected esmtp extensions
SIZE int
  Server will accept any E-Mail under int size
DSN
  Client can request delivery status notification of the server
  e.g. notify when the mail is delivered to a user’s mailbox
AUTH
  Server supports user authentication

27 selected esmtp extensions
STARTTLS
  Server supports encryption
  Using STARTTLS resets connection to the initial state on an encrypted socket
    EHLO must be reissued
  Note: Server may support different ESMTP extensions once STARTTLS has been issued
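The ESMTP rules from the last few slides (try EHLO only after an ‘ESMTP’ banner, read the multi-line 250 reply as a list of extensions, reissue EHLO after STARTTLS and re-read the list) are easy to get wrong in a hand-written client. The following is an added example, not code from the slides or from Postfix: it parses constructed replies in the shape of the slide’s transcript (the host name, SIZE value and AUTH methods are made up) and derives the command sequence a careful client sends before MAIL FROM.

```python
"""Parsing an ESMTP session, added example (not from the slides).

The banner and replies below are constructed to mirror the transcript on
the slides; host name, SIZE limit and AUTH methods are made up.
"""

SAMPLE_BANNER = "220 example.hades.lab ESMTP Postfix"

# What a server might advertise on the plain-text connection ...
SAMPLE_EHLO_PLAIN = "\r\n".join([
    "250-example.hades.lab at your service",
    "250-SIZE 10240000",
    "250-DSN",
    "250-STARTTLS",
    "250-8BITMIME",
    "250-ENHANCEDSTATUSCODES",
    "250-PIPELINING",
    "250 HELP",
])

# ... and after STARTTLS, once EHLO has been reissued on the encrypted socket.
# Servers commonly hide AUTH until the connection is encrypted so that
# credentials are never sent in the clear.
SAMPLE_EHLO_TLS = "\r\n".join([
    "250-example.hades.lab at your service",
    "250-SIZE 10240000",
    "250-DSN",
    "250-AUTH PLAIN LOGIN",
    "250-8BITMIME",
    "250-ENHANCEDSTATUSCODES",
    "250-PIPELINING",
    "250 HELP",
])


def supports_esmtp(banner: str) -> bool:
    """The slides' rule: only try EHLO if the 220 greeting contains 'ESMTP'."""
    return banner.startswith("220") and "ESMTP" in banner


def parse_ehlo_reply(reply: str) -> dict:
    """Turn a multi-line 250 reply into {EXTENSION: parameter or None}.

    '250-' marks a continuation line and '250 ' (space) the final line; the
    first line is the server's greeting, not an extension.  A malformed or
    non-250 reply raises ValueError so the caller can fall back to HELO.
    """
    lines = reply.split("\r\n")
    for i, line in enumerate(lines):
        if len(line) < 4 or not line.startswith("250") or line[3] not in "- ":
            raise ValueError(f"not a 250 reply line: {line!r}")
        last = i == len(lines) - 1
        if (line[3] == " ") != last:
            raise ValueError("continuation/terminator markers out of place")
    extensions = {}
    for line in lines[1:]:
        parts = line[4:].split(None, 1)
        if not parts:
            continue
        extensions[parts[0].upper()] = parts[1] if len(parts) > 1 else None
    return extensions


def is_valid_ehlo_reply(reply: str) -> bool:
    try:
        parse_ehlo_reply(reply)
        return True
    except ValueError:
        return False


def max_message_size(extensions: dict):
    """SIZE's parameter is the largest message the server will accept, in bytes."""
    value = extensions.get("SIZE")
    return int(value) if value else None


def plan_session(banner: str, ehlo_plain: str, ehlo_tls: str) -> list:
    """Command sequence a careful client sends before MAIL FROM.

    EHLO first; if STARTTLS is offered, negotiate TLS and reissue EHLO,
    re-reading the extension list (it may differ on the encrypted socket);
    offer AUTH only if the post-TLS list advertises it.
    """
    if not supports_esmtp(banner):
        return ["HELO"]
    commands = ["EHLO"]
    extensions = parse_ehlo_reply(ehlo_plain)
    if "STARTTLS" in extensions:
        commands += ["STARTTLS", "EHLO"]
        extensions = parse_ehlo_reply(ehlo_tls)   # the pre-TLS list is stale now
    if "AUTH" in extensions:
        commands.append("AUTH")
    return commands
```

The important check is the one in `plan_session`: the extension list read before STARTTLS is discarded, so a client never offers AUTH, or trusts a SIZE limit, that was only seen on the unencrypted connection.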

28 selected esmtp extensions
PIPELINING
  Server supports client sending certain commands in batches without waiting for the server to acknowledge every command individually

29 determining smtp server
We have talked a lot about the protocol, but not how to choose what server to send an E-Mail to
Two basic methods:
  Smart host
    All mail is forwarded to a single mail server
    Configured by the administrator
  Envelope sender
    MX record for envelope sender’s domain is looked up via DNS

30 mx records
MX records list valid mail servers and their priority
Lower (numeric) priority servers are used first
Servers with the same priority are accessed in a round-robin fashion
Servers with higher priorities are only used if lower servers cannot be contacted

31 example mx record
Which server gets the second email?
uncc.edu. 643 IN MX 10 mxb gslb.pphosted.com.
uncc.edu. 643 IN MX 40 ironhost1.uncc.edu.
uncc.edu. 643 IN MX 40 ironhost2.uncc.edu.
uncc.edu. 643 IN MX 10 mxa gslb.pphosted.com.
Notes:
  Records can be in any order
  Smaller numbers get priority
  If a small number MX is not available, mail goes to the next larger number
  If a number is repeated, the servers are treated equally (round-robin)
Which server gets the second E-Mail?
If the network to the gslb.pphosted.com sub-domain is down, which server gets the first E-Mail? The second? The third?

32 smtp headers
SMTP servers typically add many headers to an E-Mail
Some are familiar: CC, BCC, Date, From, To, Subject
Most are hidden by mail clients

33 smtp headers
Received
  Shows the path a message travelled
  Every server that touches an E-Mail prepends this header
  Contains a lot of information about each server

34 smtp headers
Received: from exfe03.its.uncc.edu ([ ]) by EXEVS01.its.uncc.edu with Microsoft SMTPSVC( ); Tue, 8 Feb :21:
Received: from mx0a pphosted.com ([ ]) by exfe03.its.uncc.edu with Microsoft Tue, 8 Feb :21:
Received: from pps.filterd (m [ ]) by mx0a pphosted.com (8.14.4/8.14.4) with SMTP id p18HAASb013706 for Tue, 8 Feb :21:
Received: from mailserver3.caci.com (mailserver3.caci.com [ ]) by mx0a pphosted.com with ESMTP id ub8ru8c2t-1 (version=TLSv1/SSLv3 cipher=RC4-SHA bits=128 verify=NOT) for Tue, 08 Feb :21:
Received: from excas-hub01.caci.com ([ ]) by mailserver3.caci.com with ESMTP/TLS/AES128-SHA; 08 Feb :21:
Received: from exclu05.caci.com ([fe80::b88b:dd8b:f8d7:95d2]) by excas-hub01.caci.com ([ ]) with mapi; Tue, 8 Feb :21:
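Reading a Received chain by hand, as on the slide above, is how a path is traced during incident triage; the following added example (not code from the slides) does it programmatically. The message is constructed: the hosts, addresses and dates are made up but laid out like the slide’s chain, with a TLS hop, a hop whose encryption is only recorded in a version= clause, and an internal hop with no encryption evidence. Because each server prepends its own header, the hops are reversed to recover chronological order. Only the headers added by your own servers can be trusted; anything below them was supplied by the sending side and may be forged.

```python
"""Tracing a message's path from its Received headers, added example
(not from the slides).  The message below is constructed: hosts, addresses
and dates are made up, laid out like the chain shown on the slide."""
import re
from email import message_from_string

RECEIVED_SAMPLE = """\
Received: from relay.example.org (relay.example.org [192.0.2.10])
\tby mx.example.net with ESMTP/TLS/AES128-SHA;
\tTue, 8 Feb 2011 12:21:40 -0500
Received: from mailserver.example.com (mailserver.example.com [198.51.100.5])
\tby relay.example.org with ESMTP id abc123
\t(version=TLSv1 cipher=RC4-SHA bits=128 verify=NOT);
\tTue, 8 Feb 2011 12:21:38 -0500
Received: from hub.internal.example.com ([10.0.0.7])
\tby mailserver.example.com with mapi;
\tTue, 8 Feb 2011 12:21:35 -0500
From: sender@example.com
To: recipient@example.net
Subject: constructed sample

body text
"""

# "from <host> (<comment>) by <host> <rest>"; the comment usually carries the
# connecting address in square brackets.
HOP_RE = re.compile(
    r"^from\s+(?P<from>\S+)\s*(?:\((?P<comment>[^)]*)\))?\s*by\s+(?P<by>\S+)(?P<rest>.*)$",
    re.IGNORECASE,
)
WITH_RE = re.compile(r"\bwith\s+(\S+)", re.IGNORECASE)
IP_RE = re.compile(r"\[([0-9A-Fa-f.:]+)\]")


def parse_received_chain(raw_message: str) -> list:
    """Return the hops in chronological order (oldest first).

    Each server prepends its Received header, so the header nearest the top
    of the message is the most recent hop; the list is reversed to recover
    the order in which the message actually travelled.
    """
    msg = message_from_string(raw_message)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        value = " ".join(value.split())          # unfold continuation lines
        clause, _, date = value.rpartition(";")  # the date follows the last ';'
        m = HOP_RE.match(clause)
        if not m:
            hops.append({"raw": value, "parsed": False})
            continue
        rest = m.group("rest") or ""
        with_m = WITH_RE.search(rest)
        comment = m.group("comment") or ""
        ip_m = IP_RE.search(comment)
        protocol = with_m.group(1) if with_m else None
        hops.append({
            "from": m.group("from"),
            "by": m.group("by"),
            "ip": ip_m.group(1) if ip_m else None,
            "with": protocol,
            # evidence that this hop was encrypted: either in the 'with'
            # token (ESMTP/TLS/...) or in a version=TLS... clause
            "tls": bool(protocol and "TLS" in protocol.upper()) or "version=TLS" in rest,
            "date": date.strip(),
            "parsed": True,
        })
    return hops


def unencrypted_hops(hops: list) -> list:
    """Hops with no TLS evidence: useful when checking whether a message
    stayed encrypted in transit."""
    return [h for h in hops if h.get("parsed") and not h["tls"]]


def route(hops: list) -> str:
    """Compact 'a -> b -> c' summary of the path, for a triage note."""
    parsed = [h for h in hops if h.get("parsed")]
    if not parsed:
        return ""
    return " -> ".join([parsed[0]["from"]] + [h["by"] for h in parsed])
```

Header values are unfolded before matching because the email parser keeps the original line breaks, and the date is split off at the last semicolon rather than the first so that semicolons inside comments do not truncate the clause.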

35 smtp headers
Reply-To
  Address that replies should be sent to
  May be different than From: address
Thread-Topic, Thread-Index
  Help threaded mail clients keep track of related conversations

36 Which mail server would get the second received mail on the system:
uncc.edu. 643 IN MX 10 mxb gslb.pphosted.com.
uncc.edu. 643 IN MX 40 ironhost1.uncc.edu.
uncc.edu. 643 IN MX 40 ironhost2.uncc.edu.
uncc.edu. 643 IN MX 10 mxa gslb.pphosted.com.
ironhost1.uncc.edu.
ironhost2.uncc.edu.
mxa gslb.pphosted.com.
mxb gslb.pphosted.com.
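The MX selection rules from slides 30, 31 and 36 (lowest preference first, round-robin among equal preferences, fall back to higher numbers only when the lower ones are unreachable) are worked through in the added example below. It is not code from the slides: the zone is constructed with example.net names but mirrors the slides’ pattern of two preference-10 hosts and two preference-40 fallbacks. The delivering server performs this lookup on the domain of the envelope recipient (RCPT TO), since that is where the message has to go. Real clients randomize the order within a preference level; a deterministic rotation is used here so the outcome of "which server gets the second message" can be checked.

```python
"""MX selection, added example (not from the slides).  The zone below is
constructed with example.net names but mirrors the pattern on the slides:
two preference-10 hosts and two preference-40 fallbacks."""
import re

SAMPLE_ZONE = """\
example.net. 643 IN MX 10 mxb.example.net.
example.net. 643 IN MX 40 backup1.example.net.
example.net. 643 IN MX 40 backup2.example.net.
example.net. 643 IN MX 10 mxa.example.net.
"""

MX_LINE = re.compile(r"^\S+\s+\d+\s+IN\s+MX\s+(?P<pref>\d+)\s+(?P<host>\S+)\s*$")


def parse_mx_zone(text: str) -> list:
    """Return [(preference, host), ...] in the order the records appear."""
    records = []
    for line in text.splitlines():
        m = MX_LINE.match(line.strip())
        if m:
            records.append((int(m.group("pref")), m.group("host")))
    return records


class MxSelector:
    """Lowest preference first; hosts sharing a preference are rotated so
    successive messages spread across them (the slides' 'round-robin')."""

    def __init__(self, records):
        self.by_pref = {}
        for pref, host in records:          # record order within a level is kept
            self.by_pref.setdefault(pref, []).append(host)
        self.rotation = {pref: 0 for pref in self.by_pref}

    def candidates(self) -> list:
        """Ordered list of hosts to try for one message."""
        order = []
        for pref in sorted(self.by_pref):
            hosts = self.by_pref[pref]
            k = self.rotation[pref] % len(hosts)
            order.extend(hosts[k:] + hosts[:k])
            self.rotation[pref] += 1
        return order

    def deliver(self, reachable):
        """Host that receives this message given the set of reachable hosts;
        None when every MX is down (the message stays queued for retry)."""
        for host in self.candidates():
            if host in reachable:
                return host
        return None


def delivery_sequence(zone_text: str, reachable, n: int) -> list:
    """Which host gets the 1st, 2nd, ... nth message."""
    selector = MxSelector(parse_mx_zone(zone_text))
    return [selector.deliver(set(reachable)) for _ in range(n)]
```

With every host up the two preference-10 servers alternate; with the preference-10 network down the two fallbacks alternate instead, which answers the slide’s three questions for the constructed zone.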

37 multipurpose internet mail extensions
MIME is an encapsulation method
Most E-Mail is MIME encapsulated
Used for:
  Attachments
  HTML E-Mail
  Inline images
  Non US-ASCII character encodings
Use not limited to E-Mail

38 mime
One MIME E-Mail can encapsulate multiple objects:
  E-Mail in pure text
  E-Mail in HTML
  Inline images
  Attachments

39 mime encodings
Each part of a MIME message has an associated encoding
Default encoding is 7bit, same as SMTP
Other available encodings are:
  8bit
  quoted-printable
  base64
  binary

40 mime encodings
7bit
  Only 7 bits of every octet in the content are important
  Implies text is only ASCII
8bit
  All 8 bits in every octet of the content are important and must be preserved
  May be binary or extended character sets

41 mime encodings
quoted-printable
  Content is mostly 7bit US-ASCII
  Non-7bit characters are encoded to satisfy 7bit encoding
binary
  All bits of every octet are used by the content
  No character translation should occur
  Not useful with SMTP as SMTP server may not honor it
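Choosing between the encodings of slides 39 to 41 is a decision a mail client makes per MIME part. The added example below (not code from the slides) makes that decision on constructed sample parts: 7bit when the content already fits, 8bit only when the receiving server advertised 8BITMIME in its EHLO reply, and otherwise whichever of quoted-printable and base64 actually produces the smaller encoded body. It uses Python’s standard quopri and base64 modules for the encoding itself.

```python
"""Choosing and applying a MIME Content-Transfer-Encoding, added example
(not from the slides).  The sample texts are constructed."""
import base64
import quopri

MAX_LINE = 998  # longest line SMTP guarantees to carry (1000 bytes including CRLF)


def _lines_ok(data: bytes) -> bool:
    return all(len(line) <= MAX_LINE for line in data.split(b"\n"))


def seven_bit_safe(data: bytes) -> bool:
    """7bit: every octet is ASCII (< 0x80), no NUL, lines within the limit."""
    return all(0 < b < 0x80 for b in data) and _lines_ok(data)


def eight_bit_safe(data: bytes) -> bool:
    """8bit: any octet value but NUL is allowed, lines still limited.
    Only usable when the receiving server advertised 8BITMIME in its EHLO reply."""
    return all(b != 0 for b in data) and _lines_ok(data)


def choose_encoding(data: bytes, server_8bitmime: bool = False) -> str:
    """Pick the cheapest encoding that will survive the SMTP path.

    7bit costs nothing; 8bit costs nothing but needs 8BITMIME end to end;
    otherwise compare the real encoded sizes: quoted-printable grows by two
    bytes per escaped octet, base64 grows every octet by a third.  Ties go
    to quoted-printable because it stays human-readable.
    """
    if seven_bit_safe(data):
        return "7bit"
    if server_8bitmime and eight_bit_safe(data):
        return "8bit"
    qp_len = len(quopri.encodestring(data))
    b64_len = len(base64.encodebytes(data))
    return "quoted-printable" if qp_len <= b64_len else "base64"


def encode_body(data: bytes, encoding: str) -> bytes:
    """Apply the chosen encoding.  'binary' is passed through untouched, which
    is why it is unsafe over SMTP (the slides' point: servers may not honour it)."""
    if encoding in ("7bit", "8bit", "binary"):
        return data
    if encoding == "quoted-printable":
        return quopri.encodestring(data)
    if encoding == "base64":
        return base64.encodebytes(data)
    raise ValueError(f"unknown encoding {encoding!r}")


def decode_body(data: bytes, encoding: str) -> bytes:
    if encoding in ("7bit", "8bit", "binary"):
        return data
    if encoding == "quoted-printable":
        return quopri.decodestring(data)
    if encoding == "base64":
        return base64.decodebytes(data)
    raise ValueError(f"unknown encoding {encoding!r}")


# Constructed sample parts.
PLAIN_TEXT = b"Meeting moved to 3pm, see attached agenda."
MOSTLY_ASCII = "Please join us at the caf\u00e9 at noon tomorrow.".encode("utf-8")
MOSTLY_NON_ASCII = "Gr\u00fc\u00dfe aus K\u00f6ln".encode("utf-8")
BINARY_BLOB = bytes(range(256))
```

The two text samples show the trade-off the slides describe: one accented word in an English sentence is cheaper as quoted-printable, while a short German phrase with several non-ASCII letters is cheaper as base64. The binary blob contains a NUL byte, so it is refused even for 8bit.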

42 smtp security
Historically SMTP servers have had horrible security
2 November: The Morris Worm
  First acknowledged worm on the Internet
  Attacked vulnerabilities in sendmail and finger
  Cornell student developed the program to try to count the number of mail servers on the Internet
  In essence, the Morris Worm was designed to do absolutely nothing except spread, but because it had a bug, it caused a bunch of processes to consume the mail servers and shut them down
  Estimated damage was between $100k and $10 million
With all this cleared out of the way, one may be wondering what the Worm DID do to cause as much fuss as it did. Actually, the intention of the worm (judging from decompiled versions of its code and the statements of its designer) was to do nothing at all. At least, nothing visible. The worm was designed simply to spread itself to as many computers as possible without giving the slightest indication of its existence. If the code worked correctly, it would have been only a tiny process continually running on computers across the internet. However, the code didn't work perfectly. Apparently, at the time the virus was released, there were still a number of bugs in the code. In addition it is believed that the programmer underestimated the degree to which the Worm would propagate. (For more details on this part, see our section on how the Worm worked.) The result is that these seemingly innocuous processes, which didn't take up much processor time individually, began to put a strain on a system as more and more processes infected the same machines. At a surprisingly swift rate, an infected machine began to be slowed as more and more copies of the worm each tried to perform its function.

43 sendmail
Sendmail: Avoid using it if at all possible
Original mailer daemon
Any program that requires a macro language to generate its configuration is too complex
Many alternatives exist
We will be using postfix in the lab

44 problems with e-mail
Message Source (original sender)
Message Integrity (tampering)
Message Confidentiality (spying)

45 spam
Unwanted E-Mail, exists because it is profitable
Abuses many parts of SMTP to send mail
  Forging sender and headers
  Using open relays
May utilize botnets of hacked machines to send large volumes of mail

46 blacklist
Database mail servers can consult to block addresses from sending
  Usually IP addresses
  e.g. database of known SPAM hosts or database of cable modems
Reactive technology: a host must do something wrong to be added to a blacklist
Often implemented using DNS
  Records are stored using reverse IP
Why are reactive security technologies not the best solution?

47 spamhaus.org
http://www.spamhaus.org/zen/
Example DNS blacklist service
Provide ‘zen block list’
  Combination of several of their block lists
‘dig zen.spamhaus.org’
  Looks up in the zen block list

48 whitelist
Database of addresses that are always permitted to send
  Usually E-Mail addresses
Often implemented as
  A text file or simple database
  On the mail server

49 greylisting
Method to temporarily reject inbound messages from unknown senders
Server sends a transient error to sender
  e.g. ‘Mailbox temporarily unavailable’
Envelope sender is added to a whitelist after a waiting period has elapsed (e.g. 5 minutes)

50 greylisting
Works because SPAM systems rarely retry to send E-Mail delayed by transient failures
Standard servers will retry for up to several days
Can delay mail anywhere from 15 minutes to four hours
  Depends on time taken to add sender to whitelist and retry interval of sender
How can greylisting be exploited by spammers?
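Slides 46 to 50 describe three inbound checks (whitelist, DNS blacklist, greylisting) that a receiving server applies in order to each RCPT TO. The added example below (not code from the slides or from any mail server) combines them: the blacklist query name is built by reversing the client IP under the list’s zone, the DNSBL answer is simulated by a constructed in-memory resolver (the return value is made up and does not reproduce any real list’s codes), and greylisting keys on the (client IP, envelope sender, envelope recipient) triplet with an injected clock so the waiting period can be exercised. The 4-hour expiry for a never-retried triplet is an assumption, not from the slides.

```python
"""Inbound anti-spam policy, added example (not from the slides): the
whitelist, DNS blacklist and greylisting checks from the slides, applied in
the order a receiving server would apply them to a RCPT TO.  All data here
is constructed; the DNSBL answers are made up and do not reproduce any real
list's return codes."""
import ipaddress
import math

# Slide 48: whitelist of addresses always permitted (normally a text file).
WHITELIST = {"partner@example.org", "alerts@example.com"}

# Slides 46/47: a DNS blacklist is queried by reversing the client IP's
# octets under the list's zone.  This stand-in resolver answers like a DNSBL:
# an address in 127.0.0.0/8 when listed, nothing (NXDOMAIN) otherwise.
DNSBL_ZONE = "zen.spamhaus.org"
FAKE_DNS_A = {
    "9.113.0.203.zen.spamhaus.org": "127.0.0.2",   # constructed: 203.0.113.9 is "listed"
}

WAIT_PERIOD = 5 * 60          # slide 49: retry accepted after e.g. 5 minutes
GREY_EXPIRY = 4 * 60 * 60     # assumption: forget a triplet never retried in 4 hours
TEMP_REPLY = "450 4.7.1 Mailbox temporarily unavailable, try again later"
OK_REPLY = "250 2.1.5 Ok"
DNSBL_REPLY = "554 5.7.1 Service unavailable; client host listed in " + DNSBL_ZONE


def dnsbl_query_name(ip: str, zone: str = DNSBL_ZONE) -> str:
    """'203.0.113.9' -> '9.113.0.203.zen.spamhaus.org' (reverse IP)."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def dnsbl_listed(ip: str, resolve=FAKE_DNS_A.get) -> bool:
    answer = resolve(dnsbl_query_name(ip))
    return answer is not None and ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8")


class Greylister:
    """Slides 49/50: first contact from an unknown (client IP, sender,
    recipient) triplet gets a transient error; a retry after the waiting
    period is accepted and the triplet is whitelisted.  Most spam engines
    never retry, so they never get past the transient error."""

    def __init__(self, wait=WAIT_PERIOD, expiry=GREY_EXPIRY):
        self.wait, self.expiry = wait, expiry
        self.first_seen = {}   # triplet -> time of first attempt
        self.passed = {}       # triplet -> time it was whitelisted

    def check(self, client_ip, sender, recipient, now):
        key = (client_ip, sender.lower(), recipient.lower())
        if key in self.passed:
            return OK_REPLY
        first = self.first_seen.get(key)
        if first is None or now - first > self.expiry:
            self.first_seen[key] = now      # new (or stale) triplet: defer
            return TEMP_REPLY
        if now - first >= self.wait:
            self.passed[key] = now
            del self.first_seen[key]
            return OK_REPLY
        return TEMP_REPLY                   # retried too soon: defer again


def expected_delay(wait: int, sender_retry_interval: int) -> int:
    """Slide 50: the delay a legitimate sender sees is its own retry interval
    rounded up to cover the waiting period."""
    return math.ceil(wait / sender_retry_interval) * sender_retry_interval


def rcpt_policy(grey: Greylister, client_ip, sender, recipient, now) -> str:
    """Reply to RCPT TO: whitelist first, then the blacklist, then greylisting."""
    if sender.lower() in WHITELIST:
        return OK_REPLY
    if dnsbl_listed(client_ip):
        return DNSBL_REPLY
    return grey.check(client_ip, sender, recipient, now)
```

The order matters: a whitelisted sender is never delayed or blocked, a blacklisted client is rejected before any greylist state is created for it, and the greylist timer is only started for the remaining unknown senders. The `expected_delay` helper makes the slide’s "15 minutes to four hours" concrete: a sender that retries every 15 minutes gets through on its first retry, one that retries every four hours waits four hours.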

51 spf Sender policy framework

52 sender policy framework
Client validation system
Verifies envelope sender is permitted to send mail on behalf of the domain
  Only verifies IP address in practice
Aims to prevent rogue mail servers
SPF provides no information about the contents of an E-Mail

53 sender policy framework
More description of SPF on separate slides
  Extra set of slides
You will be responsible to be able to decipher SPF records

54 how spf works
SPF is stored in DNS
  An SPF record type is available
    Its use is not widespread
  Using a TXT record is more common

55 how spf works
An SPF record designates permitted and rejected sender(s) for a domain
Mail from a non-permitted sender may be safely rejected

56 what spf checks
SPF evaluation performed on two pieces of information
  Client address
    Client IP address
  Client E-Mail address, retrieved or derived from:
    Envelope sender (MAIL FROM)
    HELO/EHLO host name

57 what spf checks
Evaluation is always performed on envelope sender
Evaluation should be performed twice if envelope sender and HELO domains differ
  The RFC is unclear on how to merge the results of the evaluations
  Likely that the ‘best’ outcome is accepted

58 reading spf records
Always start with ‘v=spf1’
Read left-to-right
  Evaluation stops when a mechanism is matched
Last element of an SPF record should always be an ‘all’ or a ‘redirect’
If no mechanisms are matched, the result returned is ‘Neutral’

59 example spf records
(Note: this is 3 lines wrapped)
gmail.com. 300 IN TXT "v=spf1 redirect=_spf.google.com"
_spf.google.com. 107 IN TXT "v=spf1 ip4: /19 ip4: /19 ip4: /20 ip4: /18 ip4: /17 ip4: /20 ip4: /16 ip4: /20 ip4: /20 ip4: /16 ?all"
hotmail.com IN TXT "v=spf1 include:spf-a.hotmail.com include:spf-b.hotmail.com include:spf-c.hotmail.com include:spf-d.hotmail.com ~all"

60 spf header
SMTP servers should add a ‘Received-SPF’ header to any E-Mail where an SPF record was checked
The Received-SPF header should contain the result of the SPF check

61 example spf headers
Received-SPF: Pass (mybox.example.org: domain of designates as permitted sender) receiver=mybox.example.org; client-ip= ; helo=foo.example.com;
Received-SPF: Fail (mybox.example.org: domain of does not designate as permitted sender) identity=mailfrom; client-ip= ;
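Slide 53 says you must be able to decipher SPF records; the reading rules of slides 56 to 61 (left to right, first match wins, qualifiers, include, redirect, Neutral when nothing matches, the Received-SPF header) are implemented in the added example below. It is not code from the slides and not a reference SPF implementation: it covers the terms that appear on the slides (ip4, include, redirect, all, the four qualifiers) plus ip6, and reports anything else as PermError. The TXT records are a constructed in-memory table using example domains and documentation IP ranges, shaped like the gmail and hotmail records on slide 59; the loop.example record is there to show why the RFC 7208 limit of 10 DNS-querying terms exists.

```python
"""A small SPF evaluator, added example (not from the slides, and not the
reference implementation).  It covers the terms that appear on the slides
(ip4, include, redirect, all, the four qualifiers) plus ip6; other
mechanisms are reported as PermError.  The TXT records are constructed
with example domains and documentation IP ranges."""
import ipaddress

FAKE_TXT = {
    "example.com":       "v=spf1 redirect=_spf.example.com",
    "_spf.example.com":  "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.0/24 ?all",
    "example.org":       "v=spf1 include:spf-a.example.org include:spf-b.example.org ~all",
    "spf-a.example.org": "v=spf1 ip4:203.0.113.0/25 -all",
    "spf-b.example.org": "v=spf1 ip4:203.0.113.128/25 -all",
    "strict.example":    "v=spf1 ip4:192.0.2.55 -all",
    "loop.example":      "v=spf1 include:loop.example -all",   # would recurse forever
}

QUALIFIERS = {"+": "Pass", "-": "Fail", "~": "SoftFail", "?": "Neutral"}
MAX_DNS_TERMS = 10   # RFC 7208 limit on include/redirect (and a, mx, ...) per check


def check_host(ip: str, domain: str, dns=FAKE_TXT, budget=None) -> str:
    """Evaluate `domain`'s SPF record for the connecting address `ip`.

    Returns Pass, Fail, SoftFail, Neutral, None (no record) or PermError.
    Terms are read left to right and the first matching mechanism decides;
    a redirect is only followed if nothing matched.
    """
    if budget is None:
        budget = [MAX_DNS_TERMS]
    record = dns.get(domain.lower())
    if record is None:
        return "None"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "None"
    addr = ipaddress.ip_address(ip)
    redirect = None
    for term in terms[1:]:
        if term.lower().startswith("redirect="):
            redirect = term.split("=", 1)[1]
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qualifier]
        elif name == "include":
            budget[0] -= 1
            if budget[0] < 0:
                return "PermError"          # too many DNS-querying terms
            inner = check_host(ip, arg, dns, budget)
            if inner == "Pass":
                return QUALIFIERS[qualifier]
            if inner in ("PermError", "None"):
                return "PermError"          # included domain unusable
            # Fail/SoftFail/Neutral from an include just means "no match"
        else:
            return "P<br>ermError".replace("<br>", "")   # a, mx, ptr, exists: not implemented here
    if redirect is not None:
        budget[0] -= 1
        if budget[0] < 0:
            return "PermError"
        result = check_host(ip, redirect, dns, budget)
        return "PermError" if result == "None" else result
    return "Neutral"   # nothing matched and no redirect (the slides' default)


def check_message(ip: str, mail_from: str, helo: str, dns=FAKE_TXT) -> dict:
    """Slides 56/57: evaluate the envelope sender's domain, and separately
    the HELO name when it is a different domain."""
    sender_domain = mail_from.rsplit("@", 1)[-1].lower()
    results = {"mailfrom": check_host(ip, sender_domain, dns)}
    if helo.lower() != sender_domain:
        results["helo"] = check_host(ip, helo, dns)
    return results


def received_spf(result: str, receiver: str, mail_from: str, ip: str, helo: str) -> str:
    """Header in the shape shown on the slides, recording the check's outcome."""
    if result == "Pass":
        reason = f"domain of {mail_from} designates {ip} as permitted sender"
    elif result == "Fail":
        reason = f"domain of {mail_from} does not designate {ip} as permitted sender"
    else:
        reason = f"{result} for domain of {mail_from}"
    return (f"Received-SPF: {result} ({receiver}: {reason}) "
            f"receiver={receiver}; client-ip={ip}; helo={helo};")
```

Two behaviours are worth noting for anyone reading real records: a Fail from an included domain does not fail the outer record, it only means "no match" and evaluation continues to the next term (which is why the hotmail-style record still ends in ~all), and a redirect is followed only after every mechanism has failed to match.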

62 spf example

63 spf example
Example shows SMTP server acting on SPF directly
Some servers may still accept mail and use SPF result in SPAM calculations
Some servers may ignore SPF entirely
(Figure: Client IP vs. Server’s Response: reject mail / accept mail)

64 spf limitations
Only works well if everyone uses it
Only prevents mail from unauthorized hosts
  Even then only if servers check it
Does not verify the sender, only their domain
Does not verify the contents of a message
SPAM can (and will) still find a way
Why does SPF only work well if everyone uses it?

65 sender id

66 sender id
Microsoft Sender ID is a superset of SPF
MS owns the patents
  Many open-source projects are wary of implementing it despite Microsoft’s promises

67 sender id
Sender ID has two modes of operation
  mfrom - validates envelope sender, just like SPF
  pra - validates Purported Responsible Address

68 sender id’s pra
Purported Responsible Address is the address of the most likely responsible party
Derived by applying heuristics to a number of typical headers
Defined in RFC 4407

69 sender id problems
Sender ID violates the SPF specification by trying to use an SPF record to verify the PRA
Recommended practice is to add an empty Sender ID PRA record to prevent evaluation of your SPF record in determining PRA
  ‘spf2.0/pra ?all’

70 sender id recommendations (per jason watson)
I do not feel it adds much value to pure SPF
I recommend a neutral PRA record to prevent unintended consequences of Sender ID evaluating your SPF record
  mfrom will still evaluate your SPF record in the same manner as pure SPF

71 Misc.

72 reading E-Mail
Many legacy UNIX mail readers access the mail spool directly
  Only works locally on the mail server
  Useful for debugging

73 local mail readers
mail
  The original, brain-dead reader
mutt
  Decent command line mail reader
  For a certain definition of ‘decent’
less
  When all else fails you can read the mail spool directly (/var/spool/mail/$USER)

74 post office protocol
POP3 is a mail retrieval protocol
  tcp/110
Mainly used by ISPs
Messages are usually downloaded to client
  Deleted from server after download
Only designed to support one user using one device

75 internet message access protocol
IMAP is a mail access protocol
  tcp/143
Used by universities and corporations
Messages are stored on server

76 imap features
Supports multiple clients and concurrent access
  Note: that is for a single user
Message state (e.g. unread, flagged) is stored on the server
Supports organizing mail into folders

